status of flash9/flash10 support in RELENG_7 ?
Ben Morrow
ben at morrow.me.uk
Mon Aug 10 17:41:30 UTC 2009
Quoth Harald <hawei at free.fr>:
> On Sun, Aug 09, 2009 at 11:04:52PM +0100, Ben Morrow wrote:
>
> > I was about to say 'I believe the vuxml entry for firefox is incorrect',
> > but I see it's been fixed. Neither 3.0.13 nor 3.5.2 are vulnerable, and
> > vuxml now correctly reports this.
>
> Today security/vuxml/vuln.xml says:
>
> <affects>
> <package>
> <name>firefox</name>
> <name>linux-firefox</name>
> <range><lt>3.*,1</lt></range>
> <range><gt>3.*,1</gt><lt>3.0.13,1</lt></range>
> <range><gt>3.5.*,1</gt><lt>3.5.2,1</lt></range>
> </package>
>
> 1. Could someone tell me the meaning of the ``*'' values please ?
> I can't see the logic of the range lines.
3.* is the lowest possible version starting with '3.': in particular,
it's less than 3.0 and less than 3.a . So the <lt>3.*,1</lt> will match
anything less than firefox3. The next two lines deal with the specifics
of which firefox3 versions are vulnerable.
> 2. Yesterday I installed firefox quickly with ``pkg_add -r firefox3''
> and got firefox-3.0.10,1.
> Portaudit declares it vulnerable which seems to correspond
> to the second range line.
> I guess I have to compile firefox3 to be clean ?
3.0.10,1 is vulnerable, yes. If there aren't packages for 3.0.13,1 yet
you will need to compile it yourself.
Ben
More information about the freebsd-stable
mailing list